Charging docs: Broken bottle used in East Anchorage stabbing

Legal loopholes could allow wider NSA surveillance, researchers say

Secret loopholes exist that could allow the National Security Agency to bypass Fourth Amendment protections to conduct massive domestic surveillance on U.S. citizens, according to leading academics.

The research paper released Monday by researchers at Harvard and Boston University details how the U.S. government could “conduct largely unrestrained surveillance on Americans by collecting their network traffic abroad,” despite constitutional protections against warrantless searches.

One of the paper’s authors, Axel Arnbak of Harvard University’s Berkman Center for Internet & Society, told CBS News that U.S. surveillance laws presume Internet traffic is non-American when it is collected from overseas.

“The loopholes in current surveillance laws and today’s Internet technology may leave American communications as vulnerable to surveillance, and as unprotected as the internet traffic of foreigners,” Arnbak said.

Although Americans are afforded constitutional protections against unwarranted searches of their emails, documents, social networking data, and other cloud-stored data while it’s stored or in-transit on U.S. soil, the researchers note these same protections do not exist when American data leaves the country.

Furthermore, they suggest that Internet traffic can be “deliberately manipulated” to push American data outside of the country. Although the researchers say they “do not intend to speculate” about whether any U.S. intelligence agencies are actually doing this, they say it could provide a loophole for vacuuming up vast amounts of U.S. citizen data for intelligence purposes, thus “circumventing constitutional and statutory safeguards seeking to protect the privacy of Americans,” they warned.

The academic paper lands just over a year since the Edward Snowden revelations first came to light, outlining the massive scope of U.S. government surveillance, under the justification of preventing terrorism. Although the classified programs that make up the NSA’s data acquisition arsenal have only recently been disclosed over the past year, the laws that govern them have been under close scrutiny for years. The paper only adds fuel to the fire of the intelligence agency’s alleged spying capabilities, which have been heavily criticized by civil liberties and privacy groups alike.

“The fix has to come from the law — the same laws that apply to Internet traffic collected domestically should also apply to traffic that is collected abroad,” the paper’s co-author, Sharon Goldberg of Boston University’s Computer Science Department, said.

While the researchers do not say whether these loopholes are being actively exploited — saying their aim is solely to broaden the understanding of the current legal framework — the current legislation as it stands “opens the door for unrestrained surveillance,” they write.

Since the September 11 terrorist attacks, the subsequent introduction of the Patriot Act allowed certain kinds of data to be collected to help in the fight against terrorism — so-called “metadata,” such as the time and date of phone calls and emails sent, including phone numbers and email addresses themselves. But the contents of those phone calls or emails require a warrant. The classified documents leaked by Edward Snowden showed that while the public laws have been in effect for years or even decades, the U.S. government has used secret and classified interpretations of these laws for wider intelligence gathering outside the statutes’ text.

The Obama administration previously said there had been Congressional and Judicial oversight of these surveillance laws — notably Section 215 of the Patriot Act, which authorized the collection of Americans’ phone records; and Section 702 of the Foreign Intelligence Surveillance Act (FISA), which authorized the controversial PRISM program to access non-U.S. residents’ emails, social networking, and cloud-stored data.

But the researchers behind this new study say that the lesser-known Executive Order (EO) 12333, which remains solely the domain of the Executive Branch — along with United States Signals Intelligence Directive (USSID) 18, designed to regulate the collection of American’s data from surveillance conducted on foreign soil — can be used as a legal basis for vast and near-unrestricted domestic surveillance on Americans.

The legal provisions offered under EO 12333, which the researchers say “explicitly allows for intentional targeting of U.S. persons” for surveillance purposes when FISA protections do not apply, was the basis of the authority that reportedly allowed the NSA to tap into the fiber cables that connected Google and Yahoo’s overseas to U.S. data centers.

An estimated 180 million user records, regardless of citizenship, were collected from Google and Yahoo data centers each month, according to the leaked documents. The program, known as Operation MUSCULAR, was authorized because the collection was carried out overseas and not on U.S. soil, the researchers say.

The paper also said surveillance can also be carried out across the wider Internet by routing network traffic overseas so it no longer falls within the protection of the Fourth Amendment.

However, an NSA spokesperson denied that either EO 12333 or USSID 18 “authorizes targeting of U.S. persons for electronic surveillance by routing their communications outside of the U.S.,” in an emailed statement to CBS News.

“Absent limited exception (for example, in an emergency), the Foreign Intelligence Surveillance Act requires that we get a court order to target any U.S. person anywhere in the world for electronic surveillance. In order to get such an order, we have to establish, to the satisfaction of a federal judge, probable cause to believe that the U.S. person is an agent of a foreign power,” the spokesperson said.

The report highlights a fundamental fact about Internet traffic: Data takes the quickest route possible rather than staying solely within a country’s borders. Data between two U.S. servers located within the U.S. can still sometimes be routed outside of the U.S.

Although this is normal, the researchers warn data can be deliberately routed abroad by manipulating the Internet’s core protocols — notably the Border Gateway Protocol (BGP), which determines how Internet traffic is routed between individual networks; and the Domain Name Service (DNS), which converts website addresses to numerical network addresses.

If the NSA took advantage of the loophole by pushing Internet traffic outside of the U.S., it would have enough time to capture the data while it is outside the reach of constitutional protection.

The researchers rebuffed the NSA’s statement in an email: “We argue that these loopholes exist when surveillance is conducted abroad and when the authorities don’t ‘intentionally target a U.S. person’. There are several situations in which you don’t ‘target a U.S. person’, but Internet traffic of many Americans can in fact be affected.”

“We cannot tell whether these loopholes are exploited on a large scale, but operation MUSCULAR seems to find its legal and technical basis in them.”

Mark M. Jaycox, a legislative analyst at the Electronic Frontier Foundation (EFF), said: “If you are intentionally spying on a U.S. person, the government must go to the FISA Court,” he said. “That’s the way the law is supposed to operate.”

Describing how the NSA says it never “intentionally collects” U.S. information, he warned the agency’s foreign data dragnet would inevitably include U.S. data.

“The NSA is an intelligence organization — it’s going to be targeting foreigners. But it’s the way that its targeting millions of foreigners, and millions of foreign communications that will eventually pick up U.S. persons’ data and information. And once that data has been collected, it must be destroyed.”

“It’s a question the NSA can’t reconcile, so they lean heavily on saying they never ‘intentionally collect’ the U.S. person information,” he said

A recent primer on EO 12333 written by the privacy group said the order “mandates rules for spying… on anyone within the United States.” The group also notes because the order remains inside the Executive Branch, the Obama administration could “repeal or modify” it at will.

The American Civil Liberties Union said in a post on its website that the U.S. government interprets USSID 18 to “permit it to sweep up Americans’ international communications without any court order and with little oversight.”

He added that there should be a uniform set of laws that protect Americans’ privacy regardless of where they are in the world, and that Congressional oversight of all rules governing surveillance is needed for comprehensive reforms.

The ACLU has also filed a Freedom of Information lawsuit with a federal court in New York, questioning “whether it [EO 12333] appropriately accommodates the constitutional rights of American citizens and residents whose communications are intercepted in the course of that surveillance.”

Although there is no direct evidence yet to suggest the NSA has exploited this loophole, network monitoring firm Renesys observed two “route hijacking” eventsin June and November 2013 that led Internet traffic to be redirected through Belarus and Iceland on separate occasions. These events are virtually unnoticeable to the ordinary Internet user, but the side effect is that U.S. data may be readable by foreign governments traveling through their country’s infrastructure. It also could allow the NSA to capture that data by treating it as foreign data.

These legal and technical loopholes can allow “largely unrestrained surveillance on Americans communications,” the researchers wrote.

The NSA, whose job it is to produce intelligence from overseas targets, said for the first time in August 2013 that it derives much of its “foundational authority” for its operations from EO 12333. Recent Snowden disclosures shed new light on understanding the capabilities of the executive order.

It was also recently revealed that Snowden himself questioned the legal authority of EO 12333, according to one declassified email exchange released by the Director of National Intelligence James Clapper.

According to John Schindler, a former NSA chief analyst, speaking to The Washington Post in October, the sole aim of the NSA’s “platoon” of lawyers’ is to figure out “how to stay within the law and maximize collection by exploiting every loophole.”

“It’s fair to say the rules are less restrictive under [EO] 12333 than they are under FISA,” he added.

FISA expanded the NSA’s powers allowing it to obtain foreign intelligence — including economic and political surveillance of foreign governments, companies, news outlets and citizens. But the amended law in 2008 also restricted what can be collected on U.S. citizens.

The so-called “targeting” and “minimization” procedures, which remain classified but were reported as a result of the Snowden leaks, were introduced to ensure any data inadvertently collected on U.S. citizens from overseas would not be used in investigations. These were later criticized following subsequent leaks which suggested the rules on collecting U.S. persons’ data were more relaxed than the statute led the public to believe.

U.S. intelligence agencies can only do so much with U.S. data, therefore they have a “strong incentive to conduct surveillance abroad,” the researchers say, because legal protections under the Fourth Amendment and FISA do not apply outside U.S. territory.

“Programs under EO 12333 may collect startling amounts of sensitive data on both foreigners and Americans,” the paper summarizes, “without any meaningful congressional or judiciary involvement.”

Related Stories

Lifestyle

Apple WWDC 2014: iPhone, iPad updates, “smart home” system and more

by CBS/AP on Jun 02, 13:01

Apple kicked off its 2014 Worldwide Developers Conference in San Francisco today with a slew of new product announcements and updates, most of which will be available in the fall to the general public. Internet of Things: Apple announced a much-anticipated move into the ”smart home” technology market. It will allow users to control connected gadgets and appliances from […]

News

New phone scam hits Alaska

by Shannon Ballard on Jan 31, 21:37

ANCHORAGE - Crooks are preying on your curiosity. The Better Business Bureau said a new phone scam is hitting Alaskans. Scammers use automated equipment to dial thousands of cell phones, but hang up after just one ring. People return the calls and that’s when they’re charged unauthorized fees. Returned calls are often directed to expensive international […]

Politics

Obama’s NSA changes raise more questions than answers

by Stephanie Condon / CBS News on Jan 17, 9:52

President Obama on Friday announced a series of reforms to the nation’s surveillance apparatus, including steps to add more privacy safeguards to a controversial National Security Agency program that collects Americans’ phone records in bulk. The reforms, however, leave a number of open questions for Congress and other government officials to resolve. “We have to […]

News

Are you sober? Check your cell phone

by Lauren Maxwell on Dec 31, 19:43

ANCHORAGE - There seems to be an app for everything, including ones that claim to monitor how much you can safely drink. They’re available for iPhones and Androids, but just how accurate are they? Anchorage police say it’s not a smart idea to let your smartphone decide if you are sober enough to drive. They don’t recommend […]

Latest Stories

Crime

Anchorage man sentenced to 9 years for armed bank robbery

by KTVA CBS 11 News on Mar 03, 13:34

An Anchorage man was sentenced to 9 years in prison Tuesday after pleading guilty to robbing a local bank and threatening a bank teller with a gun. James Surrells, 44, was sentenced by Chief U.S. District Court Judge Ralph R. Beistline to serve 108 months in prison for robbing the First National Bank of Alaska on Northern Lights […]

News

Buddy Holly plane crash investigation to be reopened?

by CBS News/Associated Press on Mar 03, 12:11

The National Transportation Safety Board has agreed to consider reopening the investigation into the Iowa plane crash that killed musicians Buddy Holly, Ritchie Valens, J.P. “The Big Bopper” Richardson, and pilot Roger Peterson. The Globe Gazette reports that the board has agreed to consider another investigation after receiving a letter from L.J. Coon, an experienced pilot from New […]

Lifestyle

Prehistoric tool found in Sitka landslide

by Shannon Kemp on Mar 03, 11:56

Two hydrologists taking geological samples from the site of a landslide in Sitka made an unexpected discovery — what appeared at first to be a “cool weathered rock” instead turned out to be a prehistoric hammer. Sitka Ranger District hydrologist Marty Becker and Tongass Forest Supervisors Office hydrologist K.K. Prussian were collecting rock samples in […]

News

Voter registration deadline looms for Anchorage election

by KTVA CBS 11 News on Mar 03, 11:46

Anchorage residents have until Sunday, March 8 to register to vote in the April municipal election. Residents must be at least 18 years old on Election Day — April 7 — for their vote to count. This Sunday is also the last day you can update your voter information, according to a release from the municipality. […]

News

House votes to fund Department of Homeland Security through September

by Jake Miller / CBS News on Mar 03, 11:42

They came, they saw, they blinked. The House of Representatives passed a bill on Tuesday funding the Department of Homeland Security through the end of September, effectively ending a congressional standoff that nearly shut the department down at the end of last week. The bill, identical to a measure that passed the Senate last Friday, passed […]

News

David Petraeus enters plea deal with Justice Department

by CBS News/Associated Press on Mar 03, 11:26

The U.S. Department of Justice announced in a statement that former CIA director and top U.S. general in Afghanistan and Iraq, David Petraeus, has agreed to plead guilty to mishandling classified materials. Petraeus will now be able to avoid a trial over whether he gave classified materials to his mistress and biographer, Paula Broadwell, while […]

DayBreak

Travel Tuesday takes to New Orleans

by Daybreak Staff on Mar 03, 11:15

If you can’t wait any longer for those warmer temperatures, a flight to New Orleans for spring break might be in order. Daybreak Travel Guru Scott McMurren is already there. He joined the Daybreak crew via Skype Tuesday morning to share some of his experiences down south, should you want to follow his lead. Alaska Airlines recently […]

Crime

Mat-Su Valley high-speed chase ends with suspect up a tree

by KTVA CBS 11 News on Mar 03, 10:47

An Alaska State Trooper car chase ended with a suspect hiding in a cottonwood tree Monday. Troopers first spotted 38-year-old Jason Rose driving a blue Jeep Cherokee along the Palmer-Wasilla Highway around 5:30 p.m. Rose had three outstanding warrants for his arrest, and when troopers tried to pull him over he fled, leading troopers on […]